An interesting Microsoft Research paper by Cormac Herley titled “Why do Nigerian scammers say they are from Nigeria” provides an answer to a question that has worried many email administrators over the years, viz. how do so many users fall for the worst-written scams? By now surely the vast majority of email users know that receiving a message that proudly proclaims to be from Nigeria carries a high risk of being a scam, unless of course you are from Nigeria or have other connections with that country.
The kind of messages I mean are the heartfelt appeals from people who apparently have fallen on hard times because their father/brother/husband/wife/other relative has been killed/removed from office/disappeared/fallen foul of some government bureaucrats. All would be well if you would only extend a helping hand by helping this unfortunate to extract money/gold/diamonds/other valuables out of the country. Fortunately your correspondent has had the foresight and wisdom to set everything up for the transfer to take place and only needs details of your bank account to make it all happen. And perhaps some money that your new friend will use to grease the palms of whoever needs to be bribed before the valuables can be transferred. When everything is done, you’ll end up with 20/25/50%. The path to great wealth is truly obvious.
At least it is to the target section of society to whom the scammers direct their efforts. In a nutshell, the research paper tells us that stupid people are targeted. They might not be stupid in other parts of their life, but they certainly are to be taken in by the kind of badly-written (almost illiterate at times) fairy stories that land in their inbox. The paper says “By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.” In other words, the scammer isn’t worried that most recipients delete their appeals without bothering to read the text, but those who do and become interested (the self-selected) are likely to respond to the scammer and become a potential source of profit.
Although a very small percentage of the overall recipients respond positively to the scam email, sufficient do to make the venture worthwhile. Later on, the paper explains that scammers couldn’t handle a higher response rate because of the time and effort required to lead (by the nose) a victim through all the steps from responding to the initial appeal to transferring money from the victim’s bank accounts to Nigeria. As the paper notes, “Credentials may be stolen by the millions, but emptying bank accounts requires recruiting and managing mules. The endgame of many attacks requires per-target effort. Thus when cost is non-zero each potential target represents an investment decision to an attacker.” Lots of complex math is then explained to illustrate the underlying complexity of scam economics. I must say I thought that the issue could be boiled down to “find an idiot and relieve them of their money”, but it’s good to know that there’s a solid body of work to prove the truth of this adage.
Nigeria isn’t the only source of email scams. Quite a few appeals have recently been seen from folks who apparently were friendly with the late Libyan dictator. The example shown below contains many of the characteristics of the classic scam: an unbelievable story (to most) linked to promises of great riches if only you’d help.
The “419eater” or “Hoaxeater” sites contain all the details you need to know about the kind of email scams discussed here. “419” refers to the section of the Nigerian criminal code that deals with fraud. Along with lots of information about the various tactics used by scammers to persuade their victims to send money, the “419eater” site gives advice to people who want to play along with the scammer to waste their time. This practice is called “scambaiting” and is explained thus: “So what is scambaiting? Well, put simply, you enter into a dialogue with scammers, simply to waste their time and resources. Whilst you are doing this, you will be helping to keep the scammers away from real potential victims and screwing around with the minds of deserving thieves.” It sounds like a very good thing to do, if you have the time and inclination to mess with scammers.
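An added example, not taken from this post or from the paper: a simplified cost model of the per-target "investment decision" quoted earlier, showing why a reply pool with few false positives pays off and how many time-wasting scambaiters it takes to erase that return. Every name and figure below is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Responses:
    """Replies to one mailing (constructed figures, not data from the paper)."""
    viable: int      # true positives: responders who would end up paying
    non_viable: int  # false positives: responders who never pay

# Assumed per-target economics, in arbitrary currency units.
GAIN_PER_VICTIM = 2000    # return from one viable responder
COST_PER_RESPONDER = 50   # effort spent corresponding with any responder

def profit(r: Responses, baiters: int = 0) -> int:
    """Net return: every responder costs effort, only viable ones pay."""
    worked = r.viable + r.non_viable + baiters
    return r.viable * GAIN_PER_VICTIM - worked * COST_PER_RESPONDER

def precision(r: Responses) -> float:
    """Share of responders who are viable (true positives / all positives)."""
    return r.viable / (r.viable + r.non_viable)

def breakeven_precision() -> float:
    """Below this share of viable responders, working the replies loses money."""
    return COST_PER_RESPONDER / GAIN_PER_VICTIM

def baiters_to_break_even(r: Responses) -> int:
    """Extra non-paying responders needed to push profit to zero or below."""
    surplus = profit(r)
    if surplus <= 0:
        return 0
    return -(-surplus // COST_PER_RESPONDER)  # integer ceiling division

# A believable pitch draws many curious replies; an absurd one draws few,
# but those few are mostly people who will follow through.
PLAUSIBLE = Responses(viable=10, non_viable=990)
IMPLAUSIBLE = Responses(viable=8, non_viable=12)

if __name__ == "__main__":
    print(f"break-even precision: {breakeven_precision():.3f}")
    for name, r in (("plausible", PLAUSIBLE), ("implausible", IMPLAUSIBLE)):
        print(f"{name:12s} precision={precision(r):.2f} "
              f"profit={profit(r):7d} "
              f"baiters to break even={baiters_to_break_even(r)}")
```

In this model each scambaiter is one more false positive, which is why user education (fewer viable responders) and time-wasting (more non-viable ones) both push the campaign toward a loss.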
The Microsoft Research paper is an interesting read. However, the bottom line continues to be that unsolicited email from a third party who appears to have led a pretty interesting life but is now facing some challenges to extract money from some country of which you know nothing is probably a bad thing. The scam has been ongoing for a very long time and although the vast majority of 419 messages are intercepted by anti-spam technology, some will get through. Proactively educating users (and maybe your own family) about fraud is a great way to help ensure that the spammers have fewer suitable targets to go after. That is, until the scientists find a way to eradicate the gene that dupes people into falling into the tender mercies of those who will cheerfully empty their bank accounts.
Follow Tony @12Knocksinna